We put the IT in city®

CitySmart Blog

Tuesday, February 7, 2017
Brandon Bell, Network Infrastructure Consultant

Brandon BellImagine a small city with a small public safety department. Budgets are always tight and so they have used the same server they purchased back in 2003. Plus, both the police chief and the one-person IT vendor who they call on an hourly as-needed basis know this server well. They are used to it like the feeling a person gets when they sit in their favorite comfy chair.

However, extended support from the hardware vendor ended years ago. That means the operating system no longer gets security patches and bug fixes on a regular basis. The as-needed IT person checks the server every now and then for issues and makes sure nothing really bad happens to it.

Unfortunately, that became a harder job as time went on. Even in good times, the police officers all complained how their computers (which access the server) are so slow. The server froze a lot and the police chief often reset it. When the problems got really bad, they called the IT person who would inevitably fiddle around with the server until it started working again. The billable hours for this IT person kept increasing month by month, but the police chief thought, “It’s probably still cheaper than getting a new server.”

One day, the server just...stopped working. The police chief called the IT person and assumed the usual fiddling would get it back up. Well, the IT person fiddled...and fiddled...and fiddled. Nothing. The server became as useless as a stone.

“Not to worry,” said the police chief. “We back up to an external hard drive every day. Or at least mostly every day.” The IT person tried to recover the server’s data but found that the files were incomplete and some were corrupted. The backup wouldn’t restore.

As the IT person told the police chief that the data was lost, for good, a sinking feeling entered his stomach. Now, his job—and the public’s safety—was completely at risk. Lost evidence and records, risks to active investigations, how to respond to citizen and press requests, and thinking about what would happen if a lawyer calls were only a few of the things that came to his mind as he envisioned the horror of the next few weeks and months.

Preventing This Disaster

The police chief’s approach to using and maintaining a server offers up several lessons to help you avoid this nightmare. Use this story and the following error checklist to see if you’re headed for a disaster related to server failure.

Error #1: Using hardware over five years old.

You might skirt by in life using a 2003 car. But your city flirts with significant danger by using a 2003 server. In this story, the public safety server is so old that the vendor doesn’t even support it anymore. That means it can’t be professionally fixed, secured, or updated. It’s not a matter “if” it will break down, but “when.” And “when” can be any day if it’s over five years old. Your city needs to budget for and replace server hardware every 3-5 years.

Error #2: Relying on an as-needed, reactive IT support person to barely maintain the server.

Just enough to get by. In this story, that’s the attitude the public safety department takes toward the server that holds its most important data. At home, do you handle an ant infestation just enough to get by? “Hey, there’s only a dozen ants crawling in my bed tonight. That’s good enough.” Of course not. Through many methods from cleanliness to spraying, you proactively prevent ants from entering your home.

By just band-aiding the server when it acts up, the public safety department is always barely warding off an inevitable disaster (and racking up unpredictable billable hours). Instead, all servers need to be managed, monitored, patched, and later upgraded when they reach end-of-life. Proactive IT maintenance will also alert you if a server is showing signs of a likelihood to fail in the future—preventing a disaster before it happens.

Error #3: Ignoring red flags such as slow computers and freezing.

Why do you use technology in the first place? To help you perform your job better. If a car can’t get you to work, it’s not much use. If a server interferes rather than helps with work, then it’s not much use. Slow computers, frequent memory and storage limits, and an inability to use modern applications are all signs that your equipment needs replacing before it fails.

Error #4: Failing to test data backups.

In the worst-case scenario, the server fails and your data is lost. Data backups can have problems and there are many reasons why data backups encounter possible issues. The city in our story did not test their data backups and assumed they were working. Even if a city does cling to an old server that’s soon to fail, they need to back up and test the backup on a regular basis to ensure that they can recover the data in case of a failure.

For a variety of reasons, sticking with an old server until it dies is not wise. Information security risks, slowed productivity, wasted billable hours, and lost data are only a few of the pitfalls. Modernize your technology and switch to a proactive IT support vendor to ensure that your servers don’t just fail one day and cripple your city.

Tuesday, January 31, 2017
Jabari Massey, Network Infrastructure Consultant

Jabari MasseyImagine that a city employee who works in the finance department opens their email in the morning. As they check their email, they see one message that seems to come from the city manager. Without thinking, the employee clicks on a zip file attachment assuming that it’s an important set of documents related to a meeting that day.

This employee is not technically savvy, so they are not too alarmed when they see something downloading onto their computer. A window pops up that says to accept something. The employee clicks “yes.”

Within seconds, a chill goes down their spine. Something is wrong. Multiple pop-up windows appear on the person’s computer screen and a new program seems to be running in the background. The employee tells their supervisor, and the supervisor places a call to their reactive IT support vendor who says they might be able to stop by tomorrow.

A day passes while the employee manages to continue doing work that involves accessing software on the city’s financial server. But the employee’s computer continues to slow to a crawl until they can’t use it anymore. The city manager persuades their IT vendor to send someone over today instead of tomorrow.

A junior IT support person arrives and pokes around on the employee’s computer. “Yep, there’s a problem,” they confirm. Figuring it’s a virus, they restart the computer and go into “safe mode” to try to eliminate the virus. Plugging into the financial server to make sure it’s working properly, the junior IT support person now gets a chill down their spine.

They cannot access any data on the financial server because it’s also infected with the virus.

Panic ensues. The junior IT support person calls a senior IT support person. By then, it’s too late. Both the server and the employee’s computer had not been patched in a while, and so many recent security patches had not been applied. Plus, the city runs a free version of some antivirus software that’s only updated when the IT vendor sends someone on site.

“Thank goodness there’s a data backup of the server,” says the city manager. But when the IT support vendor tries to restore the financial data from the backup...that backup doesn’t work. At all. “But we’ve been backing it up manually at least once a week,” says the city manager.

“Have you tested the backup?” asks the senior IT support person.

“No,” says the city manager. Everyone now realizes a nightmare scenario became real. The city’s financial data is lost. Permanently.

Preventing This Disaster

Some variation of this story is all too common for many cities. The good news? Cities can easily prevent a devastating virus attack by addressing some of the errors committed in this story.

Error #1: Lack of business class antivirus software.

Notice the reference in the story to free antivirus software? Many cities try to save money by installing a free, consumer-grade version of antivirus software on computers. This is a mistake because consumer-grade antivirus software is not sophisticated enough to protect city data at the server level. That usually leaves servers unprotected and computers reliant on employees making the updates.

Error #2: Reactive IT support not maintaining and monitoring servers and computers.

The IT support people in our story weren’t getting paid to do ongoing, proactive IT support. Thus, they only updated the antivirus software when the city called on them for an onsite visit. Plus, it appeared that they did not have a process in place for regularly updating the antivirus software and testing the city’s data backups. Experienced IT professionals need to regularly audit antivirus software to confirm that it’s installed on every machine and that virus definitions (which help detect nearly all known viruses) are up to date.

Error #3: An employee clicked on an email attachment.

You might have thought we’d mention this error first. However, your employees cannot be the front line for preventing viruses. We all occasionally make mistakes by clicking on a malicious email attachment or website. That’s why you need a strong foundation in place—business class antivirus software, regularly tested data backups, and proactive IT support—to stop as many viruses as possible from activating. And even if an employee clicks on something malicious, you need to be able to recover from a virus that has been activated.

Because a virus can still get through strong defenses, employee training is a must. Train your city staff about common sources of viruses such as email attachments, websites, online software, and games. With training, you can make your employees more aware about online threats that are easy to avoid if they know how to spot them.

Concerned about a virus crippling your city? Reach out to us today.

Tuesday, January 24, 2017
Ryan Warrick, Network Infrastructure Consultant

Ryan WarrickBefore you start reading this post, take our short password self-assessment.

  1. Do you have your password written down somewhere on your desk to help you remember it?
  2. Do you use a simple, easy-to-remember password (such as your kid’s name, your pet’s name, or your birthdate)?
  3. Do you use the same password for many websites and applications you access?
  4. Do you share your password with co-workers just to make things easier?
  5. At work, do you save your passwords on your web browser so that you can log in without typing your password?

If you said “yes” to any of these questions (or feel as a supervisor that your employees would answer “yes”), then you’ve got a security risk on your hands.

Why? First, simple passwords are easier to crack. Nowadays, even inexperienced hackers have access to automated password cracking software. This software can easily crack short, common, and simply constructed passwords with ease.

Second, writing down or sharing passwords with co-workers may give others unauthorized access to data and applications. What if a disgruntled employee sees your password on your desk? What if someone you think is a trusted employee uses the password you share with them to gain access to unauthorized information?

Finally, even saving passwords on your web browser (like you do at home) is not wise when working for a city. All it takes is an unauthorized person to sit at your computer or a hacker to gain access to your device to access sensitive information on applications that you use.

So, what do you and your employees need to do? Implementing the following best practices will help plug these security gaps.

1. Do not write passwords down and leave them visible.

This is an easy security tip but you need to make sure employees follow it. If they have trouble remembering their passwords, then suggest they write them down on a piece of paper and keep it in their wallet or purse—like how they protect their driver’s license, credit cards, and money from public view.

2. Use a password on all devices.

Many employees often use passwords on their desktop computers but it’s easy to forget to set up a password on laptops, tablets, and smartphones. Mobile devices are perhaps even easier from which to steal information. A thief or disgruntled employee can steal a smartphone in seconds and quickly gain unauthorized access to city email and applications. Protect all devices with passwords.

3. Do not use simple or obvious passwords.

Instead, use strong passwords such as long passphrases (like “The brown fox is 2fast!”) or complex passwords consisting of a mix of letters, numbers, and special characters. Strong passwords go a long way toward preventing hackers from getting into city applications. And if your password is one of the top 25 worst passwords below (according to Splashdata), change it NOW!

4. Do not save passwords to websites and applications.

You may do this at home so that you can easily stay logged into your favorite websites and applications. However, you don’t want to do this at your city. If someone gets access to your device, then they can gain access to unauthorized information without even needing to crack a password. Enforce a policy at your city that employees cannot save passwords on even their most frequently used applications.

5. Change passwords regularly.

Yes, this annoys employees but it helps with security. The longer a password is in use, the more likely that hackers will be able to crack it. The more you change passwords, the more difficult you make a hacker’s job.

6. Do not use the same password for all systems you access.

We know—another annoyance! But think about it. Let’s say an employee uses the same password for five different software applications that give access to confidential information at your city. If a hacker or disgruntled employee gets one password, then they have access to all five applications. Mitigate the chance of a data breach by requiring different passwords for each application.

Cybersecurity continues to evolve. In the future, passwords may go away and get replaced by different forms of authentication. But in the meantime, passwords are here to stay and they often represent a gaping security hole for hackers. By following the best practices outlined above, you will make your city’s cybersecurity much stronger.

Questions about the state of your city’s cybersecurity? Reach out to us today.

Wednesday, January 18, 2017
Victoria Boyko, Software Development Consultant

Victoria BoykoLike the tree in the proverbial forest that no one hears when it falls, do you think that anyone “hears” your city website in a forest of internet information? In many cases, probably not. That’s unfortunate because city websites already have a few advantages that other businesses and organizations would love to have.

  • City websites are highly trusted.
  • People will search for information on your website. You’ve already got a ready audience of hundreds or thousands of people.
  • People often need your information such as news, event postings, city council minutes, or services. You’ve already got demand for your information.

Yet, many city websites seem nonexistent and disappear on the internet when people search for them. Remember that most people will look for your website on a search engine such as Google or Bing. To show up on the first page of search results, your website must follow a few best practices and show constant activity to prove to these search engines that your website is trusted, useful, and relevant.

How can your city website emerge from the internet forest? Here are a few tips.

1. Share a link to your website with reputable organizations.

Because you are a city, many organizations want to link to your website. If people are researching for city-related information on another website, then you want your city’s website listed there to help people find you. Examples of websites where you want your city’s website listed are:

If there isn’t a self-service feature to upload your own website link, then reach out to the organization and ask if you can provide a link to your city’s website. Many of these organizations will be more than happy to oblige. Make sure you focus on reputable websites. Don’t reach out to sketchy, suspicious, or little-used websites and online directories that may harm rather than help you.

2. Share links to timely and interesting city information on social media.

Facebook. Twitter. YouTube. Use them if you can. Many of your citizens and other people interested in your city use these social media sites all the time. Share timely information such as emergency alerts, news, press releases, events, and photos. Any urgent or newsworthy information will be useful to people and they are likely to share it.

When people share your links on social media, it helps your website feature more prominently on search engines. Don’t be afraid to ask people to share posts on social media by including a “call to action” (such as “Tell a friend!”).

3. Share your website link with newspapers and magazines when they write up stories about you.

Another advantage for cities is that they are automatically of interest to media. When newspapers, magazines, and industry publications report on news or write up stories about you, make sure you provide your website link for them to feature on their websites. Media outlets are usually highly reputable sources on the internet. When reputable media publications link to your website, the search engines will see it as a sign to display your website higher up in search results.

4. Link to other websites on your city’s website.

To get links, you must give links. If there are pages on your website where it would be useful to provide links to other websites, then do it. For example, you might provide links to tourist attractions or websites that help people find jobs. Linking to another organization’s website makes it more likely that they will reciprocate and link back to you. However, don’t abuse the sharing of links. Make sure each link provides useful information to people.

5. Produce regular, timely, useful content on your website.

Search engines don’t like dead or stagnant websites. Those kinds of websites disappear in search results. That’s because Google or Bing considers those websites as not useful or vital—rather like an abandoned house. If you want people to find and link to your website, then you need to provide a stream of timely, useful content for people. That can help supply your social media feeds with new information and keeps people coming back to your website in anticipation of new content.

Start with these five tips and you will begin to see your city’s website rise in visibility on search engines, social media, and other organization’s websites. This process can take a while but the steady investment of time is worth it. After all, you want your website to be seen. These tips will help you make it happen.

Questions about getting your city website more visible and out there in the world? Reach out to us today.

Wednesday, January 11, 2017
John Miller, Senior Consultant

John MillerIn Part One, we talked about warning signs such as lack of data backup, aging hardware, and non-technical staff handling IT issues. In Part Two, we discuss five more warning signs that may lead your city toward a disaster.

Warning Sign #6: Unknown IT assets and inventory.

One of the most overlooked security risks is simply not knowing the total amount of hardware and software you own. And even if you do know that you own something, you may not know where it’s located. You can only secure what you can locate.

Disaster: On a two-year-old spreadsheet that lists 20 laptops, you can only track down the location of 17. You had not updated this spreadsheet in a while and you are not sure if a former employee walked off with the laptops. Because the laptops contained sensitive information, you may have a potential data breach on your hands.

Prevention: Part of asset management includes monitoring and maintaining any “live” hardware, software, and networking equipment. If you’re not using an asset anymore, then it needs to be decommissioned by an IT professional. Asset management also includes technology-related warranties, licenses, and upgrades.

Warning Sign #7: Reactive IT support putting out fires.

Imagine someone arrived at your house every week to make continual bare bones fixes to your roof, floors, or plumbing. You barely keep leaks, pests, and the outside elements at bay. Would you consider that a proper home? Instead, if a major problem occurs then you likely eliminate it once and for all by addressing the root cause. Yet, many cities put up with reactive IT support that never fixes the root cause of serious problems.

Disaster: After a lot of publicity, you offer a new payment system on your city’s website for citizens. Within weeks of its debut, the website continually crashes. For months and months, your reactive IT support vendor makes temporary fixes but the root problem keeps occurring. Citizens grow frustrated and complain to city council about wasted taxpayer dollars going to online services that don’t work.

Prevention: Ongoing, proactive IT support not only more quickly addresses technology issues but it also involves IT professionals implementing modern technology and best practices to eliminate issues before they occur. In the case of our website example, a proactive IT support team might upgrade an aging website or revisit what vendor hosts the website.

Warning Sign #8: Unknown network hardware configuration.

Network hardware helps ensure that your technology is secure, connects you to the Internet, and ties together technology between various city buildings and departments. When IT professionals don’t oversee the setup of firewalls, switches, routers, and other networking equipment, then you can open yourself up to major security threats.

Disaster: A non-technical city employee buys a firewall and sets it up. While the employee has a bit of amateur technology savviness, they improperly configure the firewall. Ports are open that allow hackers to easily gain access to city servers and steal information.

Prevention: Trained IT professionals need to configure all network hardware so that it works properly and keeps you secure. Then they need to monitor, maintain, upgrade, and replace network hardware as part of your ongoing technology support.

Warning Sign #9: No one monitoring and maintaining technology.

While related to the reactive IT support point above, this problem still often appears even when some “proactive” IT vendors serve cities. Technology monitoring and maintaining includes patching, upgrading, and threat monitoring.

Disaster: An employee keeps complaining that their computer has gotten slower and slower and slower over a period of six months. The IT vendor checks some type of diagnostics and says things look fine. They even suggest that the Internet service provider might be having issues. One day, the employee clicks on a malicious website by accident and gets a virus that leads to a data breach. After a virus cleanup and audit, an IT professional notices that the computer had not been patched in six months—including various important security patches that would have prevented the virus from getting accessed or downloaded.

Prevention: Ongoing patching, upgrading, and threat monitoring allows IT professionals to detect anomalies and address problems before they become disruptions. Keeping technology updated often fixes major security and functionality issues.

Warning Sign #10: Physical security for technology is weak.

Servers in offices where anyone can wander in. Computers left on so anyone can sit down and access sensitive information. Wireless routers left out in the open. These are signs of weak physical security for technology. Often overlooked in lieu of information security, data breaches related to physical security are just as important to prevent.

Disaster: After hours, a disgruntled employee sits down at another employee’s computer to steal confidential personnel information about staff on the city’s payroll. The data breach is later deduced through security camera footage.

Prevention: We recently talked at length about physical security policies. At a high level, you need to lock up core technology (such as servers and networking equipment) in secure rooms, escort any visitors, and require employee computers to lock after a few minutes and request a password to log back in.

Use these 10 warning signs (including those from Part One) as a self-assessment to see if you’re headed for a disaster. If you notice any weak points, don’t wait to fix them. Waiting until a technology disaster is like leaving your door unlocked at home or going without car insurance. The costs of a technology-related disaster at a city can seriously harm your operations, employees, citizens, and bottom line.

Reach out to us today if any of these warning signs worry you.

Thursday, December 22, 2016
John Miller, Senior Consultant

John MillerWaiting until a disruption or disaster should not be the moment when you take action. Think about how you act proactively when dealing with many aspects of your life.

  • Car service and maintenance to lessen the chance of an accident.
  • Health checkups, exercise, and a good diet to lessen the chance of a heart attack or stroke.
  • Repairs and maintenance on your house to prevent the effects of flooding, thunderstorms, leaks, or safety hazards.

Yet, technology at a city often gets treated like a beater car you’re driving into the ground, a person never exercising and eating whatever they want, or a house that you just let decay and rot over time with minimal upkeep. Why?

Too many times, we see cities only take action when a disruption or disaster hits. That’s way, way too late. Let’s look at some scenarios that might strike a chord with your city. If any of these scenarios speak to you, then you need to act. Now.

Warning Sign #1: No data backup testing.

If you have data backup and you’re not regularly testing it, then you may be in for a surprise.

Disaster: Your city has some kind of data backup process but rarely or never tests it. A server fails containing all of your financial data. You grab your tape, external hard drive, or other form of data backup and attempt to restore the data. It doesn’t work. It’s gone.

Prevention: Every city needs a combination of both onsite and offsite data backup to recover from both small events (like a server failure) and bigger disasters (like a tornado). Then you need real-time monitoring to identity issues and (at a minimum) test your data backup quarterly.

Warning Sign #2: No policy and procedures involving website hosting.

Too many cities still find themselves in situations where a third party webmaster is the only person with knowledge about the city’s website hosting. Another common situation is when the city surprisingly learns the vendor is no longer available or not even there.

Disaster: A webmaster gets angry at the city and holds the website hosting information hostage. The city cannot access its website on the back end to make changes or regain administrative control. In this situation, the angry webmaster could even shut the website down.

Prevention: IT professionals can help cities acquire and manage a city domain name, set up website hosting with a reputable service provider, and give administrative access to authorized city staff to avoid “hostage” situations.

Warning Sign #3: Aging hardware and software.

Unlike other long-lasting physical assets, technology assets often have relatively short lifespans. Hardware and software often needs replacing every three to five years because it gets old and outdated, is no longer supported by the vendor, and becomes unsecure.

Disaster: A 15-year-old server critical to running city operations fails (such as your accounting and financial system).

Prevention: Cities need to follow a hardware and software lifecycle management policy that mandates modernizing technology (such as upgrading servers at least every five years).

Warning Sign #4: Free or consumer-grade antivirus software.

Free or consumer-grade antivirus software isn’t adequate for protecting a city. Plus, it’s often “maintained” by individual employees who don’t keep the software up-to-date on their computers.

Disaster: An employee clicks on an email attachment that seems like it comes from their boss. Because the antivirus software hasn’t been updated for a few months, the email attachment initiates a virus that gives a hacker access to sensitive city information. A massive data breach occurs.

Prevention: Cities need enterprise-grade antivirus software that’s monitored and maintained by IT professionals. This ensures that it’s always up-to-date and preventing as many virus threats as possible.

Warning Sign #5: Non-technical staff handling IT problems.

As a way for cities to save money and quickly handle operational items, non-technical employees sometimes step in to handle IT problems. But that lack of expertise makes their actions risky and dangerous—even if they have good intentions.

Disaster: A non-technical employee sets up a wireless router incorrectly. Through the security holes in the router, a major data breach ensues when hackers are able to access confidential information on the city’s network.

Prevention: Trained IT professionals need to handle the intricacies of technology—from data backup to configuring hardware such as a wireless router. Just because you can buy consumer-grade equipment from a retail store doesn’t mean that it’s appropriate for your city.

In Part 2, we’ll talk about five more disasters that are waiting to happen. If you feel vulnerable and you don’t want to wait to fix these vulnerabilities, then reach out to us today.

Tuesday, December 13, 2016
Dave Mims, CEO

Dave MimsEvery day, your city relies on applications to perform various jobs. Your employees may use basic applications such as a web browser or a word processor to perform common tasks. Other people with more specific duties may use specialized applications such as accounting software or a records management system.

No matter what kind of application you use, the security of that application must be rock solid to avoid a data breach. Never simply assume an out-of-the-box application is secure or that a software vendor has made the right security choices for you. While application security is a complex topic, we present five important areas that your city must consider with its policies.

1. Third party access to your applications

Yes, this even includes what your software application vendors may access. Just because they sold you accounting software doesn’t mean that the vendor’s employees can look at all of your city’s payroll data. Work with your IT staff or vendor to oversee user access and authorization—including for third party vendors and contractors.

2. Encrypting data

When necessary, you need applications to encrypt data. Even a basic web browser should encrypt web pages containing sensitive information. When creating documents and reports (such as PDFs), an application should allow you to encrypt particularly sensitive information so that unauthorized users cannot read it. And of course, any sophisticated application dealing with financial, public safety, or other sensitive and confidential data needs encryption.

3. Closing up security gaps when applications integrate and interact with each other

A chain is only as strong as its weakest link—and that is true of applications. It doesn’t matter if your financial application’s security is airtight. If it’s connected to another application within your city or to a third party application, then security holes within those other applications and increase the risk of a data breach for your application. Make sure your IT staff or vendor assesses where your applications are connecting and ensures that your information is treated with the same care when it’s exchanged with another party.

4. Locking down access to application data by unauthorized users

Whether it’s a citizen getting access to an application through your website or an entry-level employee accessing basic information to do their job, those people should not be able to destroy or disrupt applications. For example, let’s say an employee accesses a part of your document management system to “view” the employee handbook to see information about paid time off or sick leave. Since they only have “view” rights and privileges, they should not be able to delete or make changes to the document such as increasing the city's paid time off or sick leave policies. Only the person with “edit” (or greater) rights should be allowed to alter the document. And only trained IT professionals and software vendors with authorization should be able to access the “guts” of your applications to configure and administer them.

5. Preparing for the worst through a data backup and a disaster recovery plan

Many of your applications not only store sensitive data but also help run your city operations. First, you need a plan to back up your data so that it’s not forever lost. You can accomplish that through a data backup plan that includes both onsite data backup (for quick time to recovery after an onsite incident) and offsite data backup (for disaster recovery). Second, and just as important, is your business continuity. Some applications—such as your public safety software or city’s website—may serve such a critical role that you need them up and running within minutes or hours after an outage. Your application security policy needs to outline the minimum length of an outage for each application and a plan for restoring functionality in case of a disaster.

Nowadays, applications often form the lifeblood of a city. Many operational activities and citizen services are conducted through applications. Because they store and share such sensitive data, you need to protect those applications. Strengthen the five areas we discussed above and document your high standards in an application security policy for your city.

Questions about your application security? Reach out to us today.

Thursday, December 8, 2016
Brian Ocfemia, Technical Account Manager

Brian OcfemiaObviously, most cities use a form of software for accounting activities. But imagine if your entire city accounting system is run on a bunch of simple electronic spreadsheets. You open one up and start entering data. What could go wrong?

You probably just thought about many things.

  • Errors left unchecked.
  • A risk of deleting data that others have inputted.
  • A risk of someone changing mathematical formulas that compute results.

Thank goodness you have that accounting software instead of a bunch of spreadsheets. Yet, the Arkansas Division of Legislative Audit reports that “data integrity” is the number one information security issue they found in the audits they performed. They define data integrity as the “ability of employees to change receipt or disbursement information after issuance or to edit or delete records without proper approval.”

So even despite using software in many cases, cities still struggle with data integrity issues like the ones that could happen in a simple spreadsheet. Let’s look at a few ways to assess, fix, and overcome some common data integrity issues.

1. Audit your data input processes and assess the feedback.

Whether your state requires an audit or not, it’s helpful to audit your financial systems to identify data integrity issues. An experienced third party can evaluate overall processes and issues with who may input, change, and delete data. On a technical level, the auditor should also look at the underlying rules, code, and logic that allow for data input.

2. If needed, fix or modernize your application.

Usually, something will come up in the audit that needs fixing. You may also find that the auditor recommends modernizing with a new system (especially if an older system lacks appropriate data integrity measures). Arkansas doesn’t mince words when it says, “We recommend that application users work with the application vendor to modify the software to include the data input edits that would eliminate vulnerabilities.” Whichever route you go, work with experienced IT professionals and application vendors to oversee any fixes, changes, or implementations of new applications.

3. Set up proper controls and processes.

Whether fixing your current application or using a new application, you want to ensure that it has the proper controls and processes in place to prevent the chance of data input errors or fraud. For example, once paychecks go out, an employee shouldn’t be able to change payroll data after the fact or delete the record of that payment.

4. Limit access to critical transactions.

Any critical transaction—such as issuing a payment or deleting a record—must require a higher-level access to accomplish. Too many systems allow any employee at any authorization level to make changes. That increases the chance of major errors and increases the risk for fraud. Exceptions will happen, but those exceptions need to be inputted by authorized people with higher-level access and logged.

5. Put field edit checks in place to reduce errors.

Even normal day-to-day data input risks lower data integrity if fields aren’t set up and restricted in appropriate ways. For example, in a payroll application you may reduce errors if:

  • Important fields are required (and you can’t leave them blank)
  • Fields autocorrect (such as hours worked or a check routing number)
  • Fields autofill (such as employee name, hourly wage, or settings that stay the same every week)

Data integrity is an overlooked area of security. You’re typically on the lookout for hackers and data breaches, but a lack of data integrity—missing information, no controls over data, and making it easy to change or delete data—can sneak up on you and lead to serious problems. Don’t wait until an audit to find these issues. Address them by taking a hard look at your current applications with a trained third party and fix any issues that you find.

In total, this three-part series about application policy and security addresses input, processing, and output. You can use these three articles as a checklist to see if you’re matching up to data security best practices.

Questions about data integrity? Reach out to us today.

Thursday, December 1, 2016
Brian Ocfemia, Technical Account Manager

Brian OcfemiaAs a follow-up to my post about data processing, this post discusses data output. For those who are not data-savvy or immersed in the world of data, it might seem like output is just output, right? No need to worry about output if you do input and processing correctly, right?

Not the case! Data output offers up some unique security risks and challenges that you need to fend off. Here are a few data output areas to assess.

1. Access to confidential information

When data output gets seen or delivered to a person—whether it’s city staff looking at a paper report or a citizen using your city’s website—that data must not reveal confidential information. For example, it should never be easy to see a social security number online with only a few data inputs. Or, personnel records should not be made available in a paper report that may get passed around to unauthorized people. Place controls over who sees outputted data.

2. Availability of data output

For employees and citizens who need to see certain information, data output needs to be highly available. That means your hardware and software needs to perform at a high standard. Lack of availability to data affects the jobs of your employees and interferes with citizen services (such as paying property taxes online).

3. Formatting, reports, and analysis

Ever run a report and get a spreadsheet full of gobbledygook and unstructured, unformatted data. Outputted data is not helpful if it can’t be read or interpreted. The end result of data input and processing must be understandable and usable. Work with your software vendors and IT staff or vendor to ensure that you receive data output in a digestible, user-friendly form.

4. Monitoring

Similar to our suggestions for data input and data processing, it’s always a good idea to monitor data output. Not only do you help quality control by detecting errors and anomalies but you also stay alert for security risks and breaches.

5. Compliance

In addition to security and usability, cities must also ensure that they comply with all federal and state laws. This includes laws that balance privacy (such as keeping personal information like social security numbers private) with freedom of information. Data breaches can occur and lead to fines and lawsuits when outputted data gets in the wrong hands as a result of careless policies and procedures.

When considering these best practices, it’s clear that a few patterns emerge.

  • Rely on monitoring and automation to eliminate errors.
  • Seek help from IT professionals and software vendor support.
  • Create clear policies and procedures to comply with the law and lessen security risks.

Questions about securing your data? Reach out to us today.

Friday, November 18, 2016
Brian Ocfemia, Technical Account Manager

Brian OcfemiaData processing is a complex topic involving lots of technical know-how. Experts have written books about it and IT professionals spend their entire careers staying up on its developments. For this post about data, we’ll focus on a few key critical data processing concepts that especially impact security and need to be addressed in your application controls policy.

Overall, your data processing is the bridge between your data input and output. Now let’s look at some important data processing aspects.

Transaction Logs

These logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank.

Transaction logs must match what are known as “source documents.” For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck doesn’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.

Edit Reports

Edit reports note incorrect information, incomplete information, and errors about transactions. It’s important to run these reports for your most critical applications to make sure that transactions are accurate. For example, edit reports are useful when you’re sending out paychecks, tax information, or utility bills. You can then note any errors and make fixes before officially completing the transactions.


Applications are designed to accurately capture information and ensure high data quality. Your override procedures need to be strict and for exceptions only. Don’t abuse an override function just to get around inconveniences. In addition, and as a security precaution, it helps to monitor overrides along with all other logging information to look for patterns and possible security violations.


In case of a power outage, a data interruption, or lags between different applications, your applications need to reconcile inputted transactions with your database. For example, if 10 users submit utility billing information onto your website while you’re having a server outage, those 10 transactions should reconcile to your database once your server is back up. Also, reconciliation applies from an accounting perspective. You need reconciliation processes in place to ensure that your general and subsidiary ledgers match up.


Experienced IT professionals should monitor everything related to your data processing such as:

  • Transactions and processing
  • Errors and incorrect information
  • Overrides
  • Unauthorized use of the application (especially when it appears that someone is altering data or ignoring/tampering with processes)
  • Reconciliations
  • Application performance (such as after a power outage or server failure)

Any data processing policy needs to be reviewed by business and application stakeholders to make sure you are complying with the law and using best practices. In a future post, we’ll look at data output—the final stage of data after it’s inputted and processed.

Questions about the security of your data processing? Reach out to us today.

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 |